1 / 11

Lecture 4 Introduction to Promela

Lecture 4 Introduction to Promela. Promela and Spin. Promela - pro cess me ta la nguage G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic creation of concurrent processes communication via message channels synchronous communication (rendez-vous)

simpsont
Download Presentation

Lecture 4 Introduction to Promela

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 4 Introduction to Promela

  2. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic creation of concurrent processes communication via message channels synchronous communication (rendez-vous) asynchronous communication (buffered) Spin - tool for analysing Promela programs for simulation, random or interactive for verification of state space e.g. absence of deadlock unexecutable code non-progress execution cycles linear time temporal properties model-checker

  3. Promela Programs Consist of processes (global) which specify behaviour message channels variables channels and variables are global or local and only updated by processes. Processes process declaration proctype A (byte state; short foo) { (state == 1) -> state = foo } instantiation A(1,3) creation run A(1,3) run A(1,3); run A(1,4) (; is separator) init - must be declared in every Promela program init { run A(1,3); run A(1,4)}

  4. Executability Processes contain statements conditions No difference between conditions and statements: either executable or blocked. 1 represents True; 0 represents False. So, if a statement evaluates to 0, then it is blocked. If it evaluates to 1, then it is executable. (a == b) This is busywaiting: while (a ~=b) do skip A process terminates (and disappears) when it reaches the end of its body and all the processes it started have terminated.

  5. Basic Data Types • Numbers • bit 0 .. 1 • byte 0 .. 255 • short - (2^15)-1 .. (2^15)-1 • int - (2^31)-1 .. (2^31)-1 • bool is a synonym for bit. • Initialisation upon declaration • e.g. • bit x=1;

  6. Concurrency byte state = 1; proctype A{} {(state == 1) -> state = state + 1 } proctype B{} {state == 1) -> state = state - 1 } init {run A{}; run B{} } Behaviour if A completes before B has started, B will block forever. Final value of state will be 2. if A completes before B has started, B will block forever. Final value of state will be 0. if A and B pass the condition at the same time, then final value of state is 1.

  7. An Example: Critical Section Grant processes A and B mutually exclusive access to portions of code. Requires 3 additional variables (Dekker).

  8. An Example: Critical Section #define true 1 #define false 0 #define Aturn false #define Bturn true bool x=false; bool y=false; bool t; proctype A{} { x = true; t= Bturn; (y == false | t == Aturn); /*critical section */ x = false } proctype B{} {y = true; t= Aturn; (x == false | t == Bturn); /*critical section */ y = false } init {run A{}; run B{} }

  9. Atomic Sequences byte state = 1; proctype A{} {atomic {(state == 1) -> state = state + 1} } proctype B{} {atomic {state == 1) -> state = state - 1} } init {run A{}; run B{} } Behaviour Final value of state will be 2. or Final value of state will be 0. Atomicity reduces interleaving reduces complexity only first statement can be blocking, no others good for dealing with local variable updates

  10. Control Flow Case Selection if :: (a != b) -> state = 1 :: (a == b) -> state = 0 fi first statement in each choice is guard choice is selected if its guard is executable if more than one guard is exectable then choice is nondeterminstic Processes can be labelled: loop: x=x+1; goto loop

  11. Control Flow Repetition byte count; proctype counter() {do :: count = count + 1 :: count = count - 1 :: count == 0 -> break od} one choice selected, per repetition possibility to break, but could loop infinitely often To force a break: • byte count; • proctype counter() • {do • :: (count != 0) -> • if • :: count = count + 1 • :: count = count - 1 • fi • :: (count == 0) -> break • od}

More Related